The UK FCA's first fine in respect of a cyber-attack

The FCA has fined Tesco Personal Finance plc (Tesco Bank) £16.4m for failures in respect of a cyber-attack impacting its current account and debit card customers. This is the FCA’s first penalty in respect of a cyber-attack and its first enforcement action for an IT-related issue since the £42m RBS/NatWest/Ulster fine in November 2014.

The decision involves a novel penalty calculation with multiple seriousness weightings. It is a reminder of the importance of not only implementing adequate systems and policies to guard against and remediate any attempted cyber-attack, but also ensuring that these are implemented effectively, including through adequate training and testing.

What happened?

Tesco Bank suffered a cyber-attack in November 2016. The attackers used an algorithm to generate authentic primary account numbers (PANs) of debit cards issued by Tesco Bank, using them to make numerous contactless transactions from Brazil and stealing £2.26m from 9,000 customer accounts over 48 hours.

Before the attack

The FCA concluded that Tesco Bank was particularly vulnerable to this type of attack for the following reasons:

  1. Tesco Bank’s authorisation system was not configured to refuse contactless transactions, even though Tesco Bank’s debit cards were not intended to be used for contactless transactions.
  2. Inadvertently, the debit cards in circulation had sequential PANs, easing the attackers’ work.
  3. The authorisation system was only checking whether the submitted expiry date was in the future, not whether it matched the actual card details.
  4. Further, Tesco Bank’s fraud analysis system was programmed at account level, not card level. This meant that transactions involving cards that Tesco Bank had previously replaced did not go through the system.

The FCA found that the attack was foreseeable and had been preventable, but Tesco Bank had taken inadequate action in response to the threat.

Following alerts from Visa and MasterCard up to a year beforehand, Tesco Bank had blocked contactless (“PoS 91”) transactions (which used the PAN) for its credit cards – but did not take similar action in respect of its debit cards, even though Tesco Bank never intended for its debit card to be used for such contactless transactions.
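The sketch below is an added illustration, not code from the FCA notice or from Tesco Bank's systems. It sets the expiry check described in point 3 beside a deny-by-default check that also covers points 1 and 4. The class and function names, the entry mode "05", the PANs and the dates are all constructed for the example; only entry mode "91" comes from the text above.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Card:
    expiry: tuple    # (year, month) as issued
    product: str     # "debit" or "credit"
    active: bool     # False once the card has been replaced

@dataclass(frozen=True)
class AuthRequest:
    pan: str
    expiry: tuple    # (year, month) as submitted
    entry_mode: str  # POS entry mode; "91" is the mode named in the notice

# Assumed policy: entry modes each product was designed to accept.
# "05" stands for a chip read here; no product accepts "91".
ALLOWED_ENTRY_MODES = {"debit": {"05"}, "credit": {"05"}}

# Constructed card file keyed by PAN, so every check is made per card.
CARDS = {
    "9999000000000001": Card((2018, 6), "debit", True),
    "9999000000000002": Card((2017, 3), "debit", False),  # replaced card
}
TODAY = date(2016, 11, 5)  # constructed date in the month of the attack

def weak_authorise(req, today):
    """Check as described in the notice: any future expiry date passes."""
    if req.expiry >= (today.year, today.month):
        return True, "approved"
    return False, "card expired"

def hardened_authorise(req, cards, today):
    """Deny by default; each test closes one weakness from the list above."""
    card = cards.get(req.pan)
    if card is None:
        return False, "unknown PAN"
    if not card.active:  # evaluated per card, so replaced cards are covered
        return False, "card replaced"
    if req.entry_mode not in ALLOWED_ENTRY_MODES[card.product]:
        return False, "entry mode not enabled for product"
    if req.expiry != card.expiry:  # must equal the issued date
        return False, "expiry mismatch"
    if card.expiry < (today.year, today.month):
        return False, "card expired"
    return True, "approved"
```

A request carrying a correct PAN, a guessed future expiry and entry mode "91" passes the first function and is refused by the second.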

During the attack

Tesco Bank’s Financial Crime Operations Team took 21 hours from the start of the attack to contact Tesco Bank’s Fraud Strategy Team. It failed to follow procedures for urgently contacting that team (instead simply emailing its fraud strategy inbox) and had incorrect contact details in its documentation. This significantly delayed Tesco Bank’s response to the breach.

Once the Fraud Strategy Team was alerted, they drafted a rule to block the transactions. The operation of this rule was not monitored, however, and the team only discovered that it had failed (because they had used the wrong country code) several hours later. After it was corrected, some transactions still slipped through and further work with external experts was required to identify the issue (account-level programming) that was causing the continued breaches.
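The following is an added illustration, not a description of Tesco Bank's tooling. It shows two checks that would surface a blocking rule with a wrong country code: replaying the draft rule over confirmed-fraud transactions before release, and alerting when a deployed rule never fires. The rule format, field names, sample transactions and the mistaken code "BZ" are constructed; the notice does not say which code was entered.

```python
# Constructed sample of transactions analysts have already confirmed as fraud.
# Assumption: the transaction feed carries ISO 3166-1 alpha-2 country codes.
CONFIRMED_FRAUD = [
    {"id": "t1", "country": "BR", "entry_mode": "91"},
    {"id": "t2", "country": "BR", "entry_mode": "91"},
    {"id": "t3", "country": "BR", "entry_mode": "91"},
    {"id": "t4", "country": "BR", "entry_mode": "91"},
]
# Constructed post-deployment window: attack traffic mixed with normal traffic.
LIVE_WINDOW = [
    {"id": "t5", "country": "BR", "entry_mode": "91"},
    {"id": "t6", "country": "GB", "entry_mode": "05"},
    {"id": "t7", "country": "BR", "entry_mode": "91"},
]

DRAFT_RULE = {"country": "BZ", "entry_mode": "91"}  # constructed mistake
FIXED_RULE = {"country": "BR", "entry_mode": "91"}

def matches(rule, txn):
    """A rule is a dict of field -> required value; every field must match."""
    return all(txn.get(field) == value for field, value in rule.items())

def replay(rule, confirmed_fraud):
    """Pre-release test: share of known-bad traffic the rule would block."""
    missed = [t["id"] for t in confirmed_fraud if not matches(rule, t)]
    coverage = (len(confirmed_fraud) - len(missed)) / len(confirmed_fraud)
    return coverage, missed

def release_gate(rule, confirmed_fraud, required=1.0):
    """Refuse to deploy a rule that misses confirmed fraud."""
    coverage, missed = replay(rule, confirmed_fraud)
    return coverage >= required, missed

def live_check(rule, window):
    """Post-release test: a block rule with zero hits mid-attack is broken."""
    hits = sum(1 for t in window if matches(rule, t))
    return {"hits": hits, "alert": hits == 0}
```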

Tesco Bank’s senior management were then informed and decided to block all online and contactless transactions for debit cards until the vulnerability was resolved. Throughout the duration of the breach, the FCA found that customers had received numerous early-morning fraud alert text messages, experienced long wait times during calls to Tesco Bank’s fraud call centre and suffered embarrassment and loss due to declined card transactions and direct debits.

The FCA also identified weaknesses in the training given to management regarding the invocation of crisis management procedures, which the FCA said should have been invoked earlier.

A breach of Principle 2

The FCA found that Tesco Bank breached Principle 2 (conduct of business with due skill, care and diligence) in respect of the design and distribution of its debit card, the configuration of specific authentication and fraud detection rules, and its response to the attack, which was not “with sufficient rigour, skill and urgency”.

The FCA found that Tesco Bank had a clear financial crime governance framework, and that Tesco Bank had adequate fraud and crisis management procedures, but they were variously not invoked, understood or followed, in part due to inadequate internal training and rehearsal.

A novel penalty calculation

At Step 2 of its penalty calculation, the FCA chose not to use revenue as an indicator of harm because it did not relate to the amount of funds at risk. It formulated a different calculation method that we have not previously seen in an FCA notice. This was divided into two stages.

Stage A: “weighted aggregated balances at risk”

The FCA identified three distinct periods of misconduct and calculated the aggregated balances at risk (ABR) for each period. It then weighted each period’s ABR having regard to the length of the period and the seriousness of misconduct in that period.

It applied a 15% weighting for the 17 months up until the first Visa alert about possible fraud, a 40% weighting from then for 12 months until the attack began, and a 45% weighting for the four-day period of the attack.

Stage B: applying the seriousness multiplier

The FCA took the total of these three weighted amounts (£223.8m) and applied the sliding scale of percentages by overall level of seriousness as set out in DEPP. The FCA assessed seriousness at level 4, thereby applying a 15% factor to the Step 2 metric.

In support of this conclusion, it cited the significant risk of loss, the inconvenience and distress caused, the serious weaknesses in Tesco Bank’s controls, that the breach facilitated financial crime, and that the attack was foreseeable and preventable. This led to a Step 2 figure of £33.6m.

Substantial mitigation for co-operation

Tesco Bank received a 30% reduction in penalty at Step 3 to reflect its conduct during the investigation. Mitigating factors included that Tesco Bank:

  • Cooperated fully during the investigation. It provided information promptly, made senior management and external experts available to the regulator and participated in open meetings about technical and factual issues. Tesco Bank independently commissioned external reports including a root cause analysis and shared these findings with the FCA.
  • Fully supported the improvements that the external experts recommended. Tesco Bank worked closely with the FCA to keep it apprised of improvements and agreed to participate in a symposium to discuss the lessons it learned from the attack with banks, other regulators and law enforcement agencies.
  • Promptly instituted a comprehensive end-to-end review of its financial crime controls and debit card systems to identify deficiencies. Tesco Bank issued clearer guidance, enhanced staff training and expanded and trained its financial crime and risk teams. It also commenced, of its own initiative, a comprehensive consumer redress exercise which cost approximately £700,000.
  • Had stopped approximately 79.79% of the fraudulent transactions during the cyber-attack.

There was no increase at Step 4, and Tesco Bank received a 30% settlement discount, resulting in a final penalty of £16.4m.

Future implications

This notice is a salutary reminder that firms can face significant penalties if they suffer cyber-risk incidents, even if their cyber governance framework appears appropriate on paper. Firms need, therefore, to ensure that the individuals who design and manage their cyber-crime controls understand how they work and that their crisis management plans are clear and well-rehearsed, with appropriate periodic testing to check the effectiveness of the framework. This is especially so given that cyber-crime is an ongoing area of focus for FCA enforcement (see our notes on the FCA annual report and on enforcement trends for 2018).

The notice increases the continued uncertainty about how penalties are calculated. The FCA has demonstrated flexibility in substantially departing from the approach in DEPP – but such departures can present difficulties. In particular, Stage A applied weightings for each period, including to reflect the seriousness of misconduct in that period. Stage B then applied a second weighting for seriousness. It is impossible to know the extent to which this issue affected the calculation, because the final notice gives no other reasons for the use of weightings in Stage A, but this approach is likely to have significantly reduced the final penalty. The question of the use of alternative metrics at Step 2 would benefit from detailed review and clarification in the FCA’s review of its penalty policy, which is reportedly due to be published by the end of 2018.

The notice gave some details about the co-operation by Tesco Bank which contributed to its 30% mitigation credit. That said, such measures are inevitably fact-specific and not always readily applicable to the circumstances of other cases. The FCA again suggested that the waiver of privilege indicated cooperation. The FCA should provide more clarity on these matters in its final Approach to Enforcement paper which is expected to be published later this year (see our interactive note on the 2018 consultation).